使用 Python smtplib 发送没有密钥文件(仅证书文件)的电子邮件
问题描述
尝试使用以下脚本发送带有证书文件的电子邮件:
Trying to send email with a certificate file using the following script:
import smtplib
client = smtplib.SMTP(myhost, myport)
client.ehlo()
client.starttls(certfile=mycertfile)
client.ehlo()
client.login(myusername, mypassword)
client.sendmail(sender, receiver, Message)
client.quit()
我收到以下错误:
SSLError: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
我认为文档(smtplib.html 和ssl.html) 说我需要提供一个私钥.我只有证书文件(base64 PEM 格式).我的 devops 说在这种情况下不需要私钥,因为我不需要识别连接的本地端.
I think documentations (smtplib.html and ssl.html) say I need to provide a private key. I only have the certificate file (base64 PEM format). My devops says that a private key is not required in this case because I do not need to identify the local side of the connection.
有没有办法在不提供私钥的情况下发送电子邮件?如果需要私钥,为什么?
Is there a way to send the email without providing the private key? If a private key is required, why?
解决方案
有两种使用 SSL/TLS 的方法:客户端经过身份验证和客户端未经身份验证的基本".在客户端经过身份验证的连接中,服务器和客户端都向对方发送证书.在基本"中,只有服务器可以.
There are two ways to use SSL/TLS: client authenticated and "basic" where the client is unauthenticated. In client authenticated connections, the both the server and the client send a certificate to the other. In "basic" only the server does.
如果您既没有传递证书也没有传递密钥文件,smtplib
将使用基本连接,在此对客户端进行身份验证.
If you pass neither a certificate nor a keyfile, smtplib
will use a basic connection, where the client is authenticated.
如果您使用证书,它将用于经过客户端身份验证的连接.在这种情况下,服务器将要求客户端通过签署握手消息来表明它拥有证书.为了让客户端能够做到这一点,它还需要私钥,它可以在证书文件中,也可以作为单独的密钥文件.
If you use a certificate, it will be used for a client authenticated connection. In that case, the server will demand that the client shows it owns the certificate by signing a handshake message. For the client to be able to do that it also needs the private key, which can be either in the certificate file or as a separate keyfile.
长话短说,如果要使用客户端证书,还必须使用密钥.如果没有,您可以将两者都留空.
Long story short, if you want to use a client certificate, you must also use a key. If not, you can just leave both empty.
OTOH,也许您有要用于连接的服务器证书文件或 CA 列表?
OTOH, maybe you have a server certificate file or CA list you want to use with the connection?
在这种情况下,您需要将其传递给 ca_certs
参数中的 ssl.wrap_socket
.由于您使用 Python 2.6,因此使用 smtplib
并没有简单的方法来做到这一点(Python 3.3+ 对 context 参数.org/3.4/library/smtplib.html#smtplib.SMTP.starttls" rel="nofollow">starttls).
In that case you need to pass it to ssl.wrap_socket
in the ca_certs
parameter. Since you use Python 2.6 there's no easy way to do that with smtplib
(Python 3.3+ has a context
argument to starttls).
如何解决这个问题取决于您的应用程序.例如,如果您不需要 ssl
来做其他任何事情,一个骇人听闻的解决方案是将 ssl.wrap_socket
与提供您的 ca_cert
(可能还有 cert_reqs=CERT_REQUIRED
).
How to solve this depends on your application. For example, if you do not need ssl
for anything else, a hackish solution would be to monkey-patch ssl.wrap_socket
with one that provides your ca_cert
(as well as cert_reqs=CERT_REQUIRED
, likely).
更完整的解决方案是使用您自己的允许传入这些参数的变体扩展 smtplib.SMTP
.
A more full blown solution would be to extend smtplib.SMTP
with your own variant that does allow passing in those parameters.
相关文章